What’s Wrong With This TJX Picture?

By George Anderson

In the April 12 entry on the fine StorefrontBacktalk blog, Evan Schuman points out that, while many consumers may say they have concerns about identity theft, their actions suggest an altogether different reality.

Case in point, according to Mr. Schuman, is TJX Cos. The owner of T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob’s Stores just reported an 11 percent increase in revenues despite being victimized by thieves in what may turn out to be the largest data breach in retailing history.

Consumers’ apparent indifference to TJX may be due, in part, to the belief that zero liability plans leave them immune to any real financial hardship if their credit cards are stolen, according to Mr. Schuman.

So what about consumers who say they would take their business elsewhere if a merchant is not able to keep their personal information secure?

“People make decisions about survey answers in a hypothetical ideal state,” Mr. Schuman wrote. “Indeed, they may like to say that they would never frequent such a merchant. But when they need clothing for their child and there’s this awesome sale at T.J. Maxx two blocks away, the platonic ideal of punishing reckless security deployments pales in comparison to finding jeans that fit well at a good price.”

Mr. Schuman also sees another potential downside to the financial results posted by TJX.

“Large retailers are watching the TJX case very closely and they are going to learn some very bad lessons,” he wrote. “They already assume that they probably won’t get hacked and that if they do, it won’t be bad. And if it is bad, they’ll be able to keep it somewhat quiet. (Reality is not the exec’s friend in these thought processes.) And if it does get out, what’s the worst that could happen? TJX has gotten an avalanche of horrible publicity and their revenue grew 11 percent.”

Discussion Questions: How do you explain the apparent indifference consumers have regarding the data theft at TJX? What (good or bad) lessons are there in the TJX case for other retailers?


12 Comments
David Biernbaum
17 years ago

Consumers are not yet as concerned about security as they pretend to be, at least not until something bad happens to the consumer him or herself, or someone he or she knows well. Other consumers view the chances of having their identity stolen as the same as being struck by lightning, “it’s always possible but it probably will happen to someone else, but not me.”

Kai Clarke
17 years ago

We live in a credit society, and many consumers feel a false sense of security that technology emboldens them with as an anonymous protection. Unfortunately, for those who awaken from this false slumber when their identity is stolen or compromised, technology is often a 2-edged sword. The same placation that enables consumers to overspend on their credit cards, is the same false sense that leaves them feeling protected, despite all of the news stating the opposite.

This is exactly what has happened with TJX. If we changed the name from TJX to that of any large bank, consumers would not only be outraged, but would immediately pull their funds and not do business at the bank. Unfortunately, the risks are the same, but the consumer impressions are vastly different. Their indifference is a reflection of our society’s lack of understanding of technology and the implications it has on our individual credit. TJX will continue to avoid a very costly bullet because of this indifference.

Mary Baum
17 years ago

I think so many other things are competing for consumers’ attention that the security breach just isn’t top-of-mind. And I do think there’s a bit of it-hasn’t-happened-to-me so-it-probably-won’t bravado working too, so the sale of the moment predominates.

Ultimately, that’s good news for our economy. Two things that hobble development in other parts of the world are the lack of much of a legal infrastructure for partnerships and corporations and – more important – a lack of trust among participants in the system. When everyone in a transaction is expecting to come out of it worse off, it makes it much harder for that transaction to happen.

Race Cowgill
17 years ago

Let’s be careful about the assumptions we make when we discuss this issue. I believe I see the following assumptions in the discussion set-up:

– Many or most of TJX’s consumers knew about the TJX theft.

– The rise in TJX revenues would not have been higher if the theft had not occurred.

– Consumers are not worried about identity theft if they make purchases from a store that they know has lost credit card data.

I am not sure these are valid assumptions given the facts we are presented.

Charlie Moro
17 years ago

To some extent the identity theft of records in cases like this, Bank of America, the government…seem to be beyond the reach of comprehension when emails from bogus lottery winning announcements continue to flood our in-boxes.

I believe that most consumers do not fault retailers like TJX in cases like this unless there is a complete breakdown in competence.

Pradip V. Mehta, P.E.
17 years ago

So far as consumers are concerned, they may feel (or perceive) that TJX is offering better value (either in terms of price or stock assortment, or both) and therefore, they continue to shop there, believing that “it won’t happen to them,” meaning that theirs will not be the information that will be lost or has been lost. It is like many people driving over the speed limit thinking that an accident won’t happen to them.

Laura Davis-Taylor
17 years ago

My husband worked at Internet Security Systems and I was continuously shocked at the number of hacked systems and stolen data incidences that went down that never saw the light of day. It happens all of the time but, fortunately for many, they don’t all become big news stories.

We are under a somewhat false sense of security, but it’s the same issue when we hand a credit card to a waiter at a restaurant. There’s only so much you can do so we must be aware and protect ourselves as best as we can…and hope that the companies that we do business with do the same.

Nikki Baird
17 years ago

I agree with Race. I’m not sure that a lot of consumers really tracked the TJX story or made the connection between TJX and, say, their local Marshalls.

But consumers do go through some strange mental gymnastics around security and privacy that I don’t think we as an industry understand well. For example, my father-in-law refuses to shop online, because he’s worried his credit card data will be stolen. But he gets mad when, on the phone with his credit card company, they want his CVV2 number off the back of the card in order to verify he is who he says he is.

In trying to balance risk, cost, and minimal due diligence, it’s not easy for retailers to figure out what’s important, when they get conflicting signals like that. But I won’t let TJX off the hook–yes, they were a victim, but I find it tremendously hard to believe that they were doing even the minimum they could to prevent something like this, when the thieves were running software they had loaded on to TJX systems themselves. And while consumers may not have penalized them (which is disappointing), there are plenty of other costs they will face as a result of this fiasco.

jack flanagan
17 years ago

I concur that many consumers have not made the connection between the TJX data breach and their own personal vulnerability as a consequence of that breach.

We only received our 1st communication directly from TJX on the 4th of April. The letter could not have been more blandly worded and simply advised us of what we needed to or should do as a result of their data breach.

Ed Dennis
17 years ago

While an inconvenience, the theft of one’s identity due to TJ Maxx’s lack of internal security poses the threat of little if any loss. Any good attorney will tell you that in this case there are a lot of people willing to cover your loss and also pay you for their lack of security. My wife’s card information was in the TJ Maxx database. However, the shopping experience at TJ Maxx is such that she continues to trade with them. The kind of identity theft that hits the hardest is when your information is stolen by a waiter at a restaurant, who sells it to a buddy, who then buys a big screen TV at Circuit City online and picks it up in his local store.

Karen McNeely
17 years ago

Unless the customer actually had their credit card information used, could trace it to TJX, and it was a huge hassle I doubt it would really keep a consumer from shopping there.

My credit card number has actually been used inappropriately twice, while my card was in my possession. Who knows, maybe the thieves did get it from my shopping at TJ Maxx, but the card company said that it is likely that the thieves used a computer generated system to come up with valid numbers at random. Each time the credit card company took care of it with no cost and little inconvenience to me. They even overnighted a new card to me on vacation.

I think that credit card numbers can be stolen a number of ways, but given the breach, I would think TJX might be one of the safest places to go, since I would assume they have put measures in place to make it secure. You don’t necessarily have that assurance from other retailers.

Mark Lilien
17 years ago

If security breach incidents keep occurring at their current rate, customers won’t be able to find many businesses that haven’t had a problem. It’s like the airline experience: anyone who flies a lot realizes just how few “good” airlines exist. It’s hard to restrict your travel solely to the “good” airlines. Soon it will be hard to find the few businesses that haven’t had security breaches. TJX isn’t alone and certainly will be lost in the mob.
